AntiOnline Founder Under Fire

by James Glave

3:00pm 4.May.98.PDT

The founder of a computer-security Web site who published details of
recent hacker penetrations into government systems has been warned by a
Defense Department contractor that he may be considered an accessory to
the crimes.

John Vranesevich, founder of full-disclosure computer security Web site
AntiOnline, posted two emails that he and other AntiOnline members
received last week from a contractor with the Defense Information Systems
Agency (DISA). The emails, sent by a system administrator at the Denver
Defense Megacenter -- a financial administration center run by DISA --
suggested that Vranesevich "had knowledge of a crime and may be culpable."

[Full disclosure? Hardly. The page is nothing more than a
half-assed collection of articles on a handful of hacker groups. Many of JP's
original articles do not disclose full details of events.]

In recent weeks, AntiOnline has reported several penetrations of DISA
systems by crackers, and included screen shots of government programs and
sign-on screens as proof of the intrusions.

[Proof of the anonymous public FTP transfer isn't proof of anything.]

Vranesevich received the first DISA email on 28 April. The note, signed by
Peter Farrell, alleged that Vranesevich might "be liable for encouraging
further criminal activities against US Defense Department systems."

[It is my understanding that unless AntiOnline is considered
legitimate media, then having direct knowledge of their events and
withholding that information is obstruction of justice. Else, anyone
can throw together a web site and claim to be media to avoid that.]

However, Farrell stopped short of threatening specific legal action
against Vranesevich.

"We are not here to threaten you but to request your assistance in our
investigation of two attacks on one of our machines and to provide, if
requested, information on other attacks, successful or otherwise," wrote
Farrell.

"Your page also displays a copy of a government log-on screen and you
provide an interview with the supposed perpetrators. Their actions have
led us to shut at least one server down temporarily as one attacker in
particular attempted to spoof mail from the White House," Farrell
continued.

Vranesevich said the latter comment exposed the weakness of DISA's case.

"It's very simple to send mail to someone making them think it is from the
White House," said Vranesevich, who added that the letters were
"ridiculous." To prove the point, Vranesevich sent Wired News an email
from "president@whitehouse.gov."

[Using utils like 'rlytest', you can adequately test a mailer's
relay ability without forging mail like this. Any 'security expert'
should know this.]

"He [Farrell] wanted me to tell him of every crime against US computers
I've ever heard of happening, every attempt I've ever heard someone make
-- whether or not it was carried out -- what methods I thought they used,
how often I thought people did it," said Vranesevich.

"They want me to become the one-man, Janet
Reno-$64-million-computer-crimes task force, is what it sounded like," he
said.

In February, Attorney General Janet Reno said that she would be seeking
US$64 million to build a National Infrastructure Protection Center, which
would fight cybercrime and other threats to the US national
infrastructure.

Vranesevich said that he did not have any classified information, and that
he only publishes non-classified information about intrusions supplied to
him by hackers and crackers.

[Yet he had a copy of the software, and thought it so secretive,
he ran it after he disconnected from the Internet (reference _Have
Crackers Found Military's Achilles Heel?_ by James Glave). That seems
to contradict his claims of thinking it not classified.]

Jennifer Granick, a San Francisco criminal defense lawyer who has defended
hackers, said Vranesevich was probably on safe legal ground.

"You are not obligated to report crimes that you know about -- that is not
illegal," said Granick. "The mere publication of information that may
assist someone in breaking the law is not itself illegal," she added.

"[Vranesevich] is hoping that by providing this information it will help
security operators to improve their security," said Granick. "He has a
First Amendment issue there; he doesn't have any interest in promoting
criminal activity.

[What is he providing that will help? He is not telling
anyone which servers are vulnerable, how they were broken into, or
how to fix the problem.]

"[These letters] show one of the problems in the way that government has
dealt with computer security," she said. "They are hoping to protect
themselves by keeping the knowledge secret instead of improving their
systems by taking advantage of all the knowledge out there.

"It's like trying not to let the slaves read: If no one has any
information you can keep them down," she said.

Vranesevich said that the emails demonstrate "how hard a time the
government really has with the security of their systems, and tracking
people down after they've been breached."

The author of the emails, Peter Farrell, declined to elaborate. "The
matter has been escalated within DISA to a level above me, and I am not
authorized to comment," he said.

Meanwhile, officials at DISA headquarters said in a statement that Farrell
was not speaking on behalf of the agency.

"The Defense Information Systems Agency is aware of the two letters sent
by Mr. Peter Farrell, a defense contractor employed at Defense
Megacenter-Denver," the statement said.